path: root/baserock_gerrit/All-Projects/project.config

# Top-level access controls for projects on Baserock Gerrit.

# These can be overridden by a project's own project.config file. They are also
# overridden by the config of a project's parent repo, if it is set to something
# other than the default parent project 'All-Projects'.

# Useful references:
#
#   https://gerrit-documentation.storage.googleapis.com/Documentation/2.11/access-control.html
#   https://git.openstack.org/cgit/openstack-infra/system-config/tree/doc/source/gerrit.rst

# To deploy changes to this file, you need to manually commit it and push it to
# the 'refs/meta/config' ref of the All-Projects repo in Gerrit.

[project]
	description = Access inherited by all other projects.

[receive]
	requireContributorAgreement = false
	requireSignedOffBy = false
	requireChangeId = true

[submit]
	mergeContent = true
	action = rebase if necessary

[capability]
	administrateServer = group Administrators
	priority = batch group Non-Interactive Users
	streamEvents = group Non-Interactive Users

	createProject = group Mirroring Tools

# Everyone can read everything.
[access "refs/*"]
	read = group Administrators
	read = group Anonymous Users


# Developers can propose changes. All 'Registered Users' are 'Developers'.
[access "refs/for/refs/*"]
	push       = group Developers
	pushMerge  = group Developers


[access "refs/heads/*"]
	forgeAuthor       = group Developers
	rebase            = group Developers
	label-Code-Review = -2..+2 group Mergers
	submit            = group Mergers
	label-Code-Review = -1..+1 group Reviewers
#	label-Verified    = -1..+1 group Testers

	create            = group Administrators
	forgeAuthor       = group Administrators
	forgeCommitter    = group Administrators
	push              = group Administrators
	create            = group Project Owners
	forgeAuthor       = group Project Owners
	forgeCommitter    = group Project Owners
	push              = group Project Owners
	create            = group Mergers
	forgeAuthor       = group Mergers
	push              = +force group Mergers

	create            = group Mirroring Tools
	forgeAuthor       = group Mirroring Tools
	forgeCommitter    = group Mirroring Tools
	push              = +force group Mirroring Tools


# Nobody should be able to force push to 'master'. In particular, if Lorry
# can force-push master then it will do, in the course of mirroring from
# git.baserock.org, and this may undo merges that Gerrit just did and really
# confuse things.
[access "refs/heads/master"]
	exclusiveGroupPermissions = push
	push                      = block +force group Mergers
	push                      = block +force group Mirroring Tools


[access "refs/tags/*"]
	pushTag        = group Release Team
	pushSignedTag  = group Release Team

	pushTag        = group Administrators
	pushSignedTag  = group Administrators
	pushTag        = group Project Owners
	pushSignedTag  = group Project Owners

	create         = group Mirroring Tools
	forgeAuthor    = group Mirroring Tools
	forgeCommitter = group Mirroring Tools
	push           = +force group Mirroring Tools
	pushTag        = +force group Mirroring Tools
	pushSignedTag  = +force group Mirroring Tools


# Changing project configuration is allowed for Administrators only. (In theory
# anyone who owns a project can change its permissions, but right now all
# projects should be owned by the Administrators group).
[access "refs/meta/config"]
	exclusiveGroupPermissions = read

	read = group Administrators
	push = group Administrators
	read = group Project Owners
	push = group Project Owners

[label "Code-Review"]
	function = MaxWithBlock
	copyMinScore = true
	value = -2 Do not merge
	value = -1 This patch needs further work before it can be merged
	value =  0 No score
	value = +1 Looks good to me, but someone else must approve
	value = +2 Looks good to me, approved

# Disabled for now, because there is no automated test tool hooked up to our
# Gerrit yet.
#[label "Verified"]
#	function = MaxWithBlock
#	value = -1 Failed
#	value =  0 No score
#	value = +1 Verified